Common Vulnerabilities and Exposures by NIST

CVE-2014-0355 N/A

2014-04-15 2014-04-15

Multiple stack-based buffer overflows on the ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allow man-in-the-middle attackers to execute arbitrary code via (1) a long temp attribute in a yweather:condition element in a forecastrss file that is processed by the checkWeather function; the (2) WeatherCity or (3) WeatherDegree variable to the detectWeather function; unspecified input to the (4) UpnpAddRunRLQoS, (5) UpnpDeleteRunRLQoS, or (6) UpnpDeletePortCheckType function; or (7) the SET COUNTRY udps command.

Vendor(s): N/A

Affected OS(s) / software(s): N/A

CVE-2014-0356 N/A

2014-04-15 2014-04-15

The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allows remote attackers to execute arbitrary code via shell metacharacters in input to the (1) detectWeather, (2) set_language, (3) SystemCommand, or (4) NTPSyncWithHost function in management.c, or a (5) SET COUNTRY, (6) SET WLAN SSID, (7) SET WLAN CHANNEL, (8) SET WLAN STATUS, or (9) SET WLAN COUNTRY udps command.

Vendor(s): N/A

Affected OS(s) / software(s): N/A

CVE-2014-0357 N/A

2014-04-15 2014-04-15

Amtelco miSecureMessages allows remote attackers to read the messages of arbitrary users via an XML request containing a valid license key and a modified contactID value, as demonstrated by a request from the iOS or Android application.

Vendor(s): N/A

Affected OS(s) / software(s): N/A

CVE-2014-0358 N/A

2014-04-15 2014-04-15

Multiple directory traversal vulnerabilities in Xangati XSR before 11 and XNR before 7 allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the file parameter in a getUpgradeStatus action to servlet/MGConfigData, (2) the download parameter in a download action to servlet/MGConfigData, (3) the download parameter in a port_svc action to servlet/MGConfigData, (4) the file parameter in a getfile action to servlet/Installer, or (5) the binfile parameter to servlet/MGConfigData.

Vendor(s): N/A

Affected OS(s) / software(s): N/A

CVE-2014-0359 N/A

2014-04-15 2014-04-15

Xangati XSR before 11 and XNR before 7 allows remote attackers to execute arbitrary commands via shell metacharacters in a gui_input_test.pl params parameter to servlet/Installer.

Vendor(s): N/A

Affected OS(s) / software(s): N/A

CVE-2013-5704 N/A

2014-04-15 2014-04-15

The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

Vendor(s): N/A

Affected OS(s) / software(s): N/A

CVE-2013-5705 N/A

2014-04-15 2014-04-15

apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.

Vendor(s): N/A

Affected OS(s) / software(s): N/A

CVE-2014-0341 N/A

2014-04-15 2014-04-15

Multiple cross-site scripting (XSS) vulnerabilities in PivotX before 2.3.9 allow remote authenticated users to inject arbitrary web script or HTML via the title field to (1) templates_internal/pages.tpl, (2) templates_internal/home.tpl, or (3) templates_internal/entries.tpl; (4) an event field to objects.php; or the (5) email or (6) nickname field to pages.php, related to templates_internal/users.tpl.

Vendor(s): N/A

Affected OS(s) / software(s): N/A

CVE-2014-0342 N/A

2014-04-15 2014-04-15

Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php# extension, and then accessing it via unspecified vectors.

Vendor(s): N/A

Affected OS(s) / software(s): N/A